pool/nsd
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
9351d7e6dc
nsd/nsd.service

45 lines
1.1 KiB
SYSTEMD
Raw Normal View History

- update to 4.0.0 see /usr/share/doc/packages/NSD-4-features for the important changes - added systemd support OBS-URL: https://build.opensuse.org/package/show/server:dns/nsd?expand=0&rev=17
2013-12-29 05:30:31 +01:00
[Unit]
Description=NSD DNS Server
After=syslog.target network.target
[Service]
Accepting request 924959 from home:stroeder:network - reworked nsd.service: * directly start as User=_nsd * even more hardening * removed commented and unused directives FWIW: This was successfully tested on Tumbleweed x86_64. OBS-URL: https://build.opensuse.org/request/show/924959 OBS-URL: https://build.opensuse.org/package/show/server:dns/nsd?expand=0&rev=90
2021-10-12 22:46:21 +02:00
Type=simple
PIDFile=/run/nsd/nsd.pid
ExecStart=/usr/sbin/nsd -d -c /etc/nsd/nsd.conf
ExecStopPost=/bin/rm -f /var/lib/nsd/xfrd.state
User=_nsd
Group=_nsd
Accepting request 924899 from home:jsegitz:branches:systemdhardening:server:dns Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/924899 OBS-URL: https://build.opensuse.org/package/show/server:dns/nsd?expand=0&rev=88
2021-10-12 21:53:30 +02:00
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full
ProtectHome=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
Accepting request 924959 from home:stroeder:network - reworked nsd.service: * directly start as User=_nsd * even more hardening * removed commented and unused directives FWIW: This was successfully tested on Tumbleweed x86_64. OBS-URL: https://build.opensuse.org/request/show/924959 OBS-URL: https://build.opensuse.org/package/show/server:dns/nsd?expand=0&rev=90
2021-10-12 22:46:21 +02:00
# end of automatic additions
# even more hardening options
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
Accepting request 925092 from home:stroeder:network - set RestrictAddressFamilies= in nsd.service OBS-URL: https://build.opensuse.org/request/show/925092 OBS-URL: https://build.opensuse.org/package/show/server:dns/nsd?expand=0&rev=91
2021-10-13 14:52:27 +02:00
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
Accepting request 924959 from home:stroeder:network - reworked nsd.service: * directly start as User=_nsd * even more hardening * removed commented and unused directives FWIW: This was successfully tested on Tumbleweed x86_64. OBS-URL: https://build.opensuse.org/request/show/924959 OBS-URL: https://build.opensuse.org/package/show/server:dns/nsd?expand=0&rev=90
2021-10-12 22:46:21 +02:00
PrivateTmp=yes
NoNewPrivileges=yes
MountFlags=private
LockPersonality=yes
KeyringMode=private
RestrictNamespaces=yes
RestrictSUIDSGID=yes
DevicePolicy=closed
MemoryDenyWriteExecute=yes
SystemCallArchitectures=native
Accepting request 931273 from home:stroeder:network - adjusted SystemCallFilter= in nsd.service OBS-URL: https://build.opensuse.org/request/show/931273 OBS-URL: https://build.opensuse.org/package/show/server:dns/nsd?expand=0&rev=92
2021-11-13 23:46:24 +01:00
SystemCallFilter=~ @clock @cpu-emulation @debug @keyring @module @mount @raw-io @reboot @swap @obsolete @resources @pkey
- update to 4.0.0 see /usr/share/doc/packages/NSD-4-features for the important changes - added systemd support OBS-URL: https://build.opensuse.org/package/show/server:dns/nsd?expand=0&rev=17
2013-12-29 05:30:31 +01:00
[Install]
WantedBy=multi-user.target
Reference in New Issue Copy Permalink